New Rules of the Road Can Sustain US Leadership on Interoperable Digital Data Flows

Mar 11, 2024 by Dr. Divya Sridhar, Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs

President Biden closed February 2024 with an Executive Order (EO), EO 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," that signaled an important development in how the U.S. plans to position and guard itself against global adversaries such as China, Iran, and Russia, through new rules to be established by the Department of Justice (DOJ). The EO speaks volumes about how the U.S. views the next-generation impact of data flows on the digital economy and how the nation can be better equipped as a global leader.

Meanwhile, a slew of Congressional actions, including newly introduced bills out of the House Energy & Commerce Committee, are tackling the same considerations, aiming to address the overcollection, sharing, and sale of consumers' personal data, including sensitive data, by a category of third parties loosely defined as "data brokers."

The news comes on the heels of recent Congressional hearings on the nature, data privacy practices, and potential misuse of foreign-owned companies such as TikTok that hold a large base of American users and those users' sensitive data.

 

The Takeaways 

The United States is not declaring a position of data localization. 

"Data free flow with trust" remains the essential guiding principle for international cooperation on data flows, a concept advanced at the World Economic Forum and taken up in G7, G20, and OECD meetings in recent years.

The United States is not trying to close off digital data flows or retreat into a cocoon of its own. Rather, it is setting restrictions that impose stronger safeguards, so that it can uphold its position as a world leader and continue to do business with other countries that follow the same guiding principles. For example:

  • The U.S. recently reworked its arrangement with the European Union on transatlantic data flows through the EU-U.S. Data Privacy Framework (DPF), backed by a newly created U.S. Data Protection Review Court, to further mitigate the risk of another Schrems-style challenge, ruling, or finding of violation.
  • The U.S. Federal Trade Commission (FTC) has extended its handshake by signing on to the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), the enforcement-cooperation arrangement that accompanies the Cross-Border Privacy Rules (CBPR) program as that program expands beyond its APEC origins to a global footprint.

 

The economic consequences are meant to sustain and promote the digital economy, not shrink it. 

While the EO does not attach an exact fiscal impact or dollar value, the order does signal the U.S. taking a more cautious approach toward data protection, which could have important short-term repercussions on digital data flows, especially for U.S.-headquartered multinational companies working with international vendors and third parties (located in, and subject to the laws of, other nations) that were not covered by previous restrictions. This is particularly true for U.S. companies operating under many different standards and frameworks, all in the absence of a comprehensive U.S. federal privacy law.

The EO builds global uniformity on how regulators view “privacy.” 

Definitions vary when it comes to how personal information is defined, how “sensitive” or “special category” data is defined, and how that data is shared between affiliated and nonaffiliated entities. For example, the FTC recently stated that “browsing and location data are sensitive. Full stop.” 

The FTC is taking the position that collecting and sharing web browsing data without consent is a problem. This makes it harder for companies to determine clearly where they cross a line in different jurisdictions. At the same time, the EO gives a useful prompt to companies that do not yet perform any data mapping or data inventory review; such companies should also consult interoperable frameworks such as the Global CBPR to understand how these terms are commonly interpreted.

The EO may create the opportunity for newer, stronger, and more secure approaches to data privacy.

The candid premise of the EO is that cyber threats, including AI-enabled malware and spoofing, are pervasive, and that the data of U.S. consumers is most exposed in nations where data privacy controls are lax or where governments can compel access to commercially held data under national security authorities, giving those governments strategic access to exploit or manipulate it.

But the EO also provides hope, setting out a process for new regulations, developed jointly by the DOJ and the Department of Homeland Security (through its Cybersecurity and Infrastructure Security Agency), that could standardize the use of privacy-enhancing technologies (PETs). The field of PETs has already been defined and loosely framed through guidance by the National Institute of Standards and Technology, so the effort the EO sets in motion can strengthen the practical use of these technologies.

PETs, which leverage advanced cryptography and statistics to compute over or link data sets held on separate systems, allow for responsible data sharing without exposing the individuals the data describes. They include a range of tools such as homomorphic encryption, federated learning, synthetic data, and differential privacy. Each carries its own trade-offs: differential privacy adds calibrated noise and requires a privacy budget tracked across queries, federated learning keeps raw data in place but still exposes model updates, and synthetic data is only as private as the process that generated it. It is likely that the EO will bring more clarity on the minimum privacy and security requirements, including the use of PETs, that companies should be meeting, which could spur more innovative solutions to data privacy problems.
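To make concrete what "responsible data sharing without exposing individuals" means for one of the PETs listed above, here is an added example of differential privacy via the Laplace mechanism. It is not code from the article, the DOJ, DHS, or NIST; the record layout, the `near_sensitive_site` field, and the values are constructed and hypothetical. It releases a noisy count, shows the bound on how much any released value can depend on one person's record, and shows the failure mode a practitioner must budget for: repeating the same query and averaging the answers.

```python
"""Differential privacy for a count query, via the Laplace mechanism.

Added example (not from the original article or any named project):
a minimal implementation of one of the PETs the article lists.
The records below are constructed and hypothetical.
"""
import math
import random

# Constructed sample of the kind of sensitive record the EO is concerned
# with: whether a person's geolocation history places them near a
# sensitive site. Field names and values are hypothetical.
RECORDS = [
    {"id": 1, "state": "VA", "near_sensitive_site": True},
    {"id": 2, "state": "MD", "near_sensitive_site": False},
    {"id": 3, "state": "VA", "near_sensitive_site": True},
    {"id": 4, "state": "TX", "near_sensitive_site": False},
    {"id": 5, "state": "VA", "near_sensitive_site": False},
    {"id": 6, "state": "CA", "near_sensitive_site": True},
    {"id": 7, "state": "MD", "near_sensitive_site": True},
    {"id": 8, "state": "VA", "near_sensitive_site": False},
]

# The sensitivity of a counting query is 1: adding or removing one
# person's record changes the true answer by at most 1. The noise is
# calibrated to this, not to the size of the data set.
COUNT_SENSITIVITY = 1.0


def near_sensitive_site(record):
    """Predicate for the example query: people seen near a sensitive site."""
    return record["near_sensitive_site"]


def true_count(records, predicate):
    """Exact answer to the count query (never released directly)."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two Exp(1/scale) draws."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def dp_count(records, predicate, epsilon, rng=None):
    """Release the count with Laplace noise of scale sensitivity/epsilon.

    Smaller epsilon means more noise and a stronger guarantee. Noise for a
    real release should come from a CSPRNG, hence SystemRandom by default;
    a seeded random.Random is fine for experiments.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    if rng is None:
        rng = random.SystemRandom()
    scale = COUNT_SENSITIVITY / epsilon
    return true_count(records, predicate) + laplace_noise(scale, rng)


def laplace_pdf(x, mu, scale):
    """Density of Laplace(mu, scale) at x."""
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def worst_case_likelihood_ratio(epsilon, probes=range(-20, 21)):
    """Largest factor by which any released value is more likely under one
    data set than under a neighbour whose true count differs by the
    sensitivity. The Laplace mechanism bounds this by exp(epsilon); that
    bound is the epsilon-differential-privacy guarantee."""
    scale = COUNT_SENSITIVITY / epsilon
    return max(
        laplace_pdf(x, 0.0, scale) / laplace_pdf(x, COUNT_SENSITIVITY, scale)
        for x in probes
    )


def privacy_budget_spent(epsilons):
    """Sequential composition: answering k queries spends the sum of their
    epsilons. Without a budget, repeated queries erode the guarantee."""
    return sum(epsilons)


def averaged_repeated_queries(records, predicate, epsilon, repeats, rng=None):
    """The failure mode: average many independent noisy answers to the same
    query and the noise cancels, recovering the exact count at a cost of
    repeats * epsilon in privacy loss. Returns (average, budget spent)."""
    if rng is None:
        rng = random.SystemRandom()
    total = sum(dp_count(records, predicate, epsilon, rng) for _ in range(repeats))
    return total / repeats, privacy_budget_spent([epsilon] * repeats)


if __name__ == "__main__":
    exact = true_count(RECORDS, near_sensitive_site)
    print("exact count:", exact)
    print("one DP release (eps=1.0):", round(dp_count(RECORDS, near_sensitive_site, 1.0), 2))
    print("worst-case likelihood ratio at eps=1.0:",
          round(worst_case_likelihood_ratio(1.0), 4), "<= e^1 =", round(math.e, 4))
    avg, spent = averaged_repeated_queries(RECORDS, near_sensitive_site, 1.0, 2000)
    print(f"2000 repeats averaged: {avg:.2f} (exact {exact}); budget spent: {spent:.0f}")
```

The single release is useful to a recipient (it is within a few units of the true count at epsilon = 1) while no individual's presence shifts the output distribution by more than a factor of e. The last lines show why the guarantee must be enforced by a budget rather than by the mechanism alone: two thousand repeats average back to the exact count, and the privacy loss that has to be accounted for is two thousand epsilon.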

 

Future Considerations

While the EO focuses on restricting the bulk purchase and sharing of sensitive data, the EO also leaves a trail of unanswered questions.

  • "Sensitive data" is defined to include "genomic and personal health data, financial data, geolocation," and other personal identifiers, as well as sensitive government data about military members and government sites. Will this sensitive data also be subject to protections in recently passed U.S. state consumer privacy laws and data broker registration laws, as well as older sectoral laws like the Health Insurance Portability and Accountability Act (HIPAA) or Title V of the Gramm-Leach-Bliley Act (GLBA)?
  • "United States Government-Related Data" is a specific category of data protected under the order that the "Attorney General determines poses a heightened risk of being exploited by a country of concern to harm United States national security," because it is linked or linkable to categories of current or recent employees, contractors, or senior officials of the U.S. Federal Government, or to sensitive locations controlled by the government (e.g., military bases and government properties). To what extent will America's list of foreign adversaries and allies continue to change over time, and how will that affect digital trade and digital data flows with these nations?
  • "Data brokers" is defined broadly, capturing a wide swath of third parties that process and share consumer data. Will this subject many more companies that collect and sell personal data to the EO than the set that registers as data brokers under U.S. state consumer privacy and data broker laws?
  • "Countries of Concern" is defined as any foreign government that (1) "has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of [US] persons" and (2) "poses a significant risk of exploiting bulk sensitive personal data or government-related data to the detriment of national security." The EO delegates final authority to designate specific countries of concern to the Attorney General. How will current and future AGs exercise this authority?

 

Maintaining adequacy in data protection should and will remain a top priority for the U.S., particularly in light of executive action like this one. The uncertainty over transatlantic data flows after the Schrems I and II decisions has placed U.S. data practices under heightened scrutiny. This EO signals not only a desire to take concrete steps to protect the commercial and government data of U.S. citizens, but also that the U.S. seeks to partner with other like-minded countries in adopting robust data practices that are "adequate" in nature, an effort to future-proof and strategically equip the U.S. going forward.

Stay tuned as this landscape continues to evolve. For U.S. companies interested in checking in on compliance for this and other international data transfer laws and requirements, set up a free consultation with BBB National Programs. Building on more than 20 years of experience with cross-border data transfers, BBB National Programs supports businesses of all sizes at all stages of their compliance journey. 
